Azure Active Directory Authentication
Installation
The following CLI command will install required packages and generate boilerplate code and files for Redwood Projects:
yarn rw setup auth azureActiveDirectory
If you prefer to manually install the package and add code, run the following command and then add the required code provided in the next section.
cd web
yarn add @azure/msal-browser
Setup
To get your application credentials, create an App Registration using in your Azure Active Directory tenant and make sure you configure as a MSAL.js 2.0 with auth code flow registration. Take a note of your generated Application ID (client), and the Directory ID (tenant).
Learn more about authorization code flow.
Redirect URIs
Enter allowed redirect urls for the integrations, e.g. http://localhost:8910/login
. This will be the AZURE_ACTIVE_DIRECTORY_REDIRECT_URI
environment variable, and suggestively AZURE_ACTIVE_DIRECTORY_LOGOUT_REDIRECT_URI
.
Authority
The Authority is a URL that indicates a directory that MSAL can request tokens from which you can read about here. However, you most likely want to have e.g. https://login.microsoftonline.com/<tenant>
as Authority URL, where <tenant>
is the Azure Active Directory tenant id. This will be the AZURE_ACTIVE_DIRECTORY_AUTHORITY
environment variable.
import { AuthProvider } from '@redwoodjs/auth'
import { PublicClientApplication } from '@azure/msal-browser'
import { FatalErrorBoundary } from '@redwoodjs/web'
import { RedwoodApolloProvider } from '@redwoodjs/web/apollo'
import FatalErrorPage from 'src/pages/FatalErrorPage'
import Routes from 'src/Routes'
import './index.css'
const azureActiveDirectoryClient = new PublicClientApplication({
auth: {
clientId: process.env.AZURE_ACTIVE_DIRECTORY_CLIENT_ID,
authority: process.env.AZURE_ACTIVE_DIRECTORY_AUTHORITY,
redirectUri: process.env.AZURE_ACTIVE_DIRECTORY_REDIRECT_URI,
postLogoutRedirectUri: process.env.AZURE_ACTIVE_DIRECTORY_LOGOUT_REDIRECT_URI,
},
})
const App = () => (
<FatalErrorBoundary page={FatalErrorPage}>
<AuthProvider client={azureActiveDirectoryClient} type="azureActiveDirectory">
<RedwoodApolloProvider>
<Routes />
</RedwoodApolloProvider>
</AuthProvider>
</FatalErrorBoundary>
)
export default App
Integration
Roles
To setup your App Registration with custom roles and have them exposed via the roles
claim, follow this documentation.
Login Options
Options in method logIn(options?)
is of type RedirectRequest and is a good place to pass in optional scopes to be authorized. By default, MSAL sets scopes
to /.default which is built in for every application that refers to the static list of permissions configured on the application registration. Furthermore, MSAL will add openid
and profile
to all requests. In example below we explicit include User.Read.All
to the login scope.
await logIn({
scopes: ['User.Read.All'], // becomes ['openid', 'profile', 'User.Read.All']
})
See loginRedirect, PublicClientApplication class and Scopes Behavior for more documentation.
getToken Options
Options in method getToken(options?)
is of type RedirectRequest. By default, getToken
will be called with scope ['openid', 'profile']
. As Azure Active Directory apply incremental consent, we can extend the permissions from the login example by including another scope, for example Mail.Read
.
await getToken({
scopes: ['Mail.Read'], // becomes ['openid', 'profile', 'User.Read.All', 'Mail.Read']
})
See acquireTokenSilent, Resources and Scopes or full class documentation for more documentation.